Secure Coding mailing list archives
Re: Let's get the ball rolling
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Sun, 07 Dec 2003 17:41:36 +0000
Despite the traffic of the last few days, I'm hoping that the list focuses on that "other stuff" as well. Most software development organizations have not integrated security into their SDLC effectively. I'd be interested in hearing how other organizations have dealt with this.

The SSE-CMM (I chaired the group that authored it) focuses on systems engineering, not software specifically. Software development organizations need specific practices for software engineering. I'm particularly interested in the most effective of these practices for large-scale software organizations, in the "bang for the buck" sense.

Imagine you're a software development manager with a limited budget, and you just realized that you need to start producing more secure software. Do you invest in training developers, better software security requirements, configuration management, better documentation, designing and implementing better security mechanisms, code review and penetration testing, or what?

Obviously, one major factor is where you are right now in the development process, since you can't go back and train all the developers after the system is already developed. But what is the calculus for what to do when? And what measurements can you take to be sure that what you do makes good risk management sense?

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com